Spy platform zero day exposes cops' wiretapped calls

Common Topics

National security boosters have just taken a kick to the ego, with revelations that hackers can access exactly the kind of wiretap kit they believe should be deployed in every ISP and telco around the world.

The zero-day that's turned up in kit from New Jersey outfit NICE would give attackers access to wiretapped voice recordings along with names and email addresses for suspects monitored by police.

Prolificfailflaunter, SEC Consult Vulnerability Lab, quietly disclosed nine flaws to NICE and went public after five holes remained unpatched nearly six months after being reported.

The flaws included a root backdoor and remote unauthenticated access to intercepted voice recordings. Hackers could also break into the voice recording server and move laterally to launch further attacks against internal voice virtual local area networks.

The security bods strongly recommended cops stop using the platform until the flaws were fixed and further testing was done.

NICE comms director Erik Snider said customers were notified of the flaws and downplayed the risk of attack.

"We have been addressing the issues based on priority, and can confirm that we have already resolved almost all of them, and expect the remaining fixes to be completed shortly," Snider said.

"We do not believe any of our customers have been impacted by the items raised in this report, as these systems are deployed in a very secure environment and are not accessible outside of the organisation."

He did not respond by the time of publication to El Reg's request to explain how the platform was not accessible outside organisations.

The backdoor was a hidden and hard coded administrator account within the platform's MySQL deployment and together with exposed voice recordings was the most severe of the published vulnerabilities.

"For example, unauthenticated attackers are able to gain access to exported lists of user accounts that are being monitored/recorded. Attackers gain access to detailed information such as personal data like first/last name, email address and username/extension," researchers Johannes Greil and Stefan Viehböck wrote in a disclosure.

Multiple cross site scripting and SQL injection flaws were also reported. The penetration testers said further critical vulnerabilities were assumed present. ®